Bug #31759 urldecode security issue, please read before rejecting
Submitted: 2005-01-30 01:29 UTC Modified: 2005-01-30 17:31 UTC
From: ieb9 at tfd dot co dot uk Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.3.10 OS: Linux RH9, Apache 2
Private report: No CVE-ID: None
 [2005-01-30 01:29 UTC] ieb9 at tfd dot co dot uk
Description:
------------
Before you say no, please read.
I have recently seen a hacker install a rootkit using URL decode. It was our fault for not having the right version of phpBB.....

but we did have a safe Apache install with all the right permissions and all the things in the right place and the latest kernel patch. The only reason we noticed was due to a strange hardware configuration that caused the hacker problems when they started to insert code into /dev/kmem.

However, looking at the code in phpBB and the commands they executed, I found that they could do exactly the same thing on at least 5 other PHP applications, e.g. versions of Mambo, phpBugTrak, PostNuke (and not just the phpBB plugin).

From what I could see the exploit only used the urldecode function and no other libraries; if this is the case, could you please fix the problem before it becomes a real issue. I think the hacker used this code to initiate the rootkit installation:

http://downloads.securityfocus.com/vulnerabilities/exploits/phpBBCodeExecExploitRUSH.pl



Reproduce code:
---------------
I don't think you really want me to post this.

Expected result:
----------------
An open TCP channel where I can get bash shell access as the apache user on the exploited box, then inject the kernel system call table and install a rootkit.

Actual result:
--------------
A hacked machine (luckily for us caught by a bit of Cisco hardware).

 [2005-01-30 04:21 UTC] rasmus@php.net
This has nothing to do with urldecode.  It has to do with what the applications do with the data after urldecoding it.  In the case of phpBB they passed it directly to a preg_match /e which executed the decoded string.  There is nothing we can do about people writing applications that take user data and pass it directly to functions that execute it.  urldecode() is working exactly as it was designed to work.
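The pattern described in the reply above, as an added illustration (this is not phpBB's code and not code from this report): a regex-based highlighter that concatenates a user-supplied word into a `preg_replace()` replacement string and runs it with the `/e` modifier, which evaluates the replacement as PHP, beside a hardened version that treats the replacement as a plain template. The `wrap_bold()`, `mark_executed()`, `highlight_vulnerable()` and `highlight_safe()` names, the post body and the hostile input are all assumptions made for the example.

```php
<?php
// Added example, not code from phpBB or from this bug report.
// The vulnerable function needs PHP 5.x: the /e modifier was deprecated
// in PHP 5.5 and removed in PHP 7.0. The hardened function runs on any
// current PHP.

// Constructed post body (assumed).
$post = 'hello world, hello again';

// Called from the evaluated replacement in the vulnerable version.
function wrap_bold($token, $word)
{
    return strcasecmp($token, $word) === 0 ? "<b>$token</b>" : $token;
}

// Stand-in for an attacker's code: it only records that it was run.
function mark_executed()
{
    $GLOBALS['executed'] = true;
    return '';
}

// VULNERABLE: with /e the replacement string is PHP source that is
// evaluated once per match, and $word is concatenated into that source.
// A single quote in $word closes the string literal; whatever follows it
// is executed as PHP. preg_quote() would not help here: it escapes regex
// metacharacters, not quotes, and the problem is the replacement string,
// not the pattern.
function highlight_vulnerable($post, $word)
{
    $replacement = "wrap_bold('\\1', '" . $word . "')";
    return preg_replace('#(\w+)#e', $replacement, $post);
}

// HARDENED: no /e, so the replacement is a template, not code, and a quote
// in $word is inert. preg_quote() keeps $word from changing the pattern.
function highlight_safe($post, $word)
{
    $pattern = '#\b' . preg_quote($word, '#') . '\b#i';
    return preg_replace($pattern, '<b>$0</b>', $post);
}

// Benign input: both versions wrap each "hello" in <b></b>.
var_dump(highlight_vulnerable($post, 'hello'));
var_dump(highlight_safe($post, 'hello'));

// Hostile $word, as it would look after the application's urldecode():
// it closes the quoted literal and splices a function call into the
// expression that /e evaluates.
$hostile = "') . mark_executed() . ('";

$executed = false;
highlight_vulnerable($post, $hostile);
var_dump($executed);   // true: mark_executed() ran inside preg_replace()

$executed = false;
highlight_safe($post, $hostile);
var_dump($executed);   // false: nothing was evaluated, the post is unchanged
```

The decoding step is not what matters: `urldecode()` only turns `%27` into `'`, and the same quote arrives just as well sent literally. What turns the quote into code execution is building PHP source from request data and handing it to `/e`. Removing `/e` (or, on PHP 5, switching to `preg_replace_callback()`) is the fix; filtering the input is not.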

 [2005-01-30 17:31 UTC] ieb9 at tfd dot co dot uk
My apologies, I will look at the applications in detail.
Someone has pointed out that double parsing circumvents the normal security checks,

e.g.
%2527. and .%2527

Is that true?
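The double-decoding question asked above, worked through as an added example (not from this report and not any project's code). PHP decodes the query string once when it builds `$_GET`; an application that calls `urldecode()` on that value decodes it a second time, so a check run on the `$_GET` value never sees what the application finally uses. The `value_as_seen_in_GET()`, `has_quote()`, `check_then_decode_again()` and `check_final_form()` names, the "reject a single quote" check and the input string are assumptions; the script runs from the command line with no web server.

```php
<?php
// Added example, not from this report.

// Stand-in for the web server: PHP applies one urldecode() to each query
// string value when it populates $_GET.
function value_as_seen_in_GET($raw_in_url)
{
    return urldecode($raw_in_url);
}

// Assumed "security check": refuse a value that contains a single quote.
function has_quote($s)
{
    return strpos($s, "'") !== false;
}

// Vulnerable flow: check the $_GET value, then decode it AGAIN before use.
// The check looks at "%27" and passes; the second decode produces "'".
function check_then_decode_again($get_value)
{
    if (has_quote($get_value)) {
        return array('rejected', $get_value);
    }
    return array('accepted', urldecode($get_value));
}

// Fixed flow: decode exactly once (PHP already did it), and check the
// value in the exact form the application will use.
function check_final_form($get_value)
{
    if (has_quote($get_value)) {
        return array('rejected', $get_value);
    }
    return array('accepted', $get_value);
}

// Constructed input, modelled on the "%2527 ... %2527" in the question.
$raw = '%2527.and.%2527';
$get = value_as_seen_in_GET($raw);     // "%27.and.%27": no quote yet, check passes

list($s1, $v1) = check_then_decode_again($get);
list($s2, $v2) = check_final_form($get);

printf("decode twice : %s, value used = %s\n", $s1, $v1);  // value used now contains quotes
printf("decode once  : %s, value used = %s\n", $s2, $v2);  // value used is still "%27.and.%27"
```

So yes: any filter that runs before a second `urldecode()` can be stepped over by encoding the offending byte twice (`%2527` becomes `%27` after the first decode and `'` after the second). The same applies to any other layer that decodes after the check, such as magic_quotes_gpc, which only escapes a literal quote, not the `%27` sequence. The rule that holds is to decode once and validate the final form, never the intermediate one.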
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Sep 13 01:01:28 2024 UTC